Home improvement startup Houzz revealed that it suffered a data breach. The company said in a FAQ on its website that the breach was discovered in late December 2018, and that “a file containing some of our user data was obtained by an unauthorized third party.”
Once Houzz's security team became aware of the issue, the company immediately launched an investigation with assistance from a leading forensics firm. It also notified law enforcement authorities, as well as any customers who might have been impacted by the incident.
Though Houzz is still investigating, it said that sensitive personal information — such as Social Security numbers and payment card, bank account or other financial information — was not affected by the breach. Information that was compromised included publicly visible information from a Houzz user’s profile; certain internal identifiers and fields, such as the country of the site used; internal account information, such as user ID, IP address and one-way encrypted passwords salted uniquely per user; and some publicly available account information, like current and past Houzz usernames.
“We do not believe that any passwords were compromised because we do not actually store passwords, except in a one-way encrypted form that is salted uniquely per user,” the company wrote. “However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”
Houzz, valued at $4 billion, recently laid off around 110 people in the U.K. and Germany, as well as 70 in the United States.
“We restructured our international marketplace workforce, primarily in our U.K. and Berlin offices, so that we can double down on the areas that will have the greatest impact for Houzz,” said a spokesperson, according to reports.